In its latest Threat Index, Check Point revealed that RansomHub remains the most prevalent ransomware group. Meanwhile, its researchers spotted a malicious Remcos campaign on Windows that exploits a recent security software update.
Check Point Software Technologies Ltd., provider of an AI-powered, cloud-delivered cybersecurity platform, has published its Global Threat Index for July 2024. Despite a significant fall in June, LockBit re-emerged last month as the second most prevalent ransomware group, while RansomHub retained first place. Meanwhile, researchers identified both a campaign distributing the Remcos malware in the wake of a faulty CrowdStrike update and a number of new FakeUpdates tactics; FakeUpdates once again topped the list of top malware for July.
A problem with the CrowdStrike Falcon sensor for Windows led cybercriminals to distribute a malicious ZIP file named crowdstrike-hotfix.zip. This file contained HijackLoader, which in turn launched the Remcos malware, ranked seventh among the top malware in July. The campaign targeted businesses using Spanish-language instructions and involved creating fake domains for phishing attacks.
Meanwhile, researchers uncovered a series of new tactics involving FakeUpdates, which topped the malware rankings for another month. Users visiting compromised websites were presented with fake browser update prompts, which led to the installation of remote access Trojans (RATs) such as AsyncRAT, currently ranked ninth in Check Point's index. Worryingly, cybercriminals have now started to abuse BOINC, a platform intended for volunteer computing, to gain remote control of infected systems.
“The continued persistence and resurgence of ransomware groups such as LockBit and RansomHub highlights cybercriminals' continued focus on ransomware, a significant, non-stop challenge for organizations with far-reaching implications for business continuity and data security. The recent exploitation of a security software update to distribute the Remcos malware further highlights the opportunistic nature of cybercriminals in developing malware, further compromising organizations' defenses. To counter these threats, organizations will need to adopt a multi-layered security strategy that includes strong endpoint protection, vigilant monitoring and user education to mitigate the onslaught of these increasingly massive cyberattacks,” said Maya Horowitz, VP of Research at Check Point Software.
Top malware families
*The arrows refer to the change in ranking compared to the previous month.
FakeUpdates was the most prevalent malware last month, with an impact on 7% of organizations worldwide, followed by Androxgh0st with a global impact of 5% and Agent Tesla with a global impact of 3%.
- ↔ FakeUpdates - FakeUpdates (AKA SocGholish) is a downloader written in JavaScript. It writes payloads to disk before launching them. FakeUpdates has led to further compromise via several additional malware families, including GootLoader, Dridex, NetSupport, DoppelPaymer and AZORult.
- ↔ Androxgh0st - Androxgh0st is a botnet that targets Windows, Mac and Linux platforms. For initial infection, Androxgh0st exploits multiple vulnerabilities, specifically targeting PHPUnit, the Laravel Framework and Apache Web Server. The malware steals sensitive information such as Twilio account information, SMTP credentials, AWS keys, etc. It uses Laravel files to collect the required information. It has different variants that scan for different information.
- ↔ Agent Tesla - Agent Tesla is an advanced RAT that functions as a keylogger and information stealer, capable of monitoring and collecting the victim's keyboard input and system clipboard, taking screenshots, and exfiltrating credentials from various software installed on the victim's machine (including Google Chrome, Mozilla Firefox and the Microsoft Outlook email client).
- ↑ Formbook - Formbook is an info stealer targeting the Windows operating system and was first identified in 2016. It is marketed as Malware-as-a-Service (MaaS) on underground hacking forums for its strong evasion techniques and relatively low price. FormBook harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files as instructed by its C&C.
- ↓ Qbot - Qbot, AKA Qakbot, is a multipurpose malware that first appeared in 2008. It was designed to steal a user's credentials, record keystrokes, steal cookies from browsers, spy on banking activities and deploy additional malware. Often distributed via spam email, it uses several anti-VM, anti-debugging and anti-sandbox techniques to hinder analysis and evade detection. Starting in 2022, it emerged as one of the most prevalent Trojans.
- ↔ Remcos - Remcos is a RAT that first appeared in 2016. Remcos is distributed through malicious Microsoft Office documents attached to spam emails, and is designed to bypass Microsoft Windows UAC security and execute malware with elevated privileges.
- ↔ Phorpiex - Phorpiex is a botnet known for distributing other malware families via spam campaigns, as well as fuelling large-scale sextortion campaigns.
- ↑ Vidar - Vidar is an infostealer malware that operates as malware-as-a-service and was first discovered in late 2018. The malware runs on Windows and can collect a wide range of sensitive data from browsers and digital wallets. Additionally, the malware is used as a downloader for ransomware.
- ↓ AsyncRAT - AsyncRAT is a Trojan that targets the Windows platform. This malware sends information about the targeted system to a remote server. It receives commands from the server to download and run plugins, kill processes, uninstall/update itself, and take screenshots of the infected system.
- ↓ NJRat - NJRat is a remote access Trojan, mainly targeting government agencies and organizations in the Middle East. The Trojan first appeared in 2012 and has multiple capabilities: logging keystrokes, accessing the victim's camera, stealing credentials stored in browsers, uploading and downloading files, performing process and file manipulations, and viewing the victim's desktop. NJRat infects victims through phishing attacks and drive-by downloads, and spreads via infected USB keys or network drives, with the support of Command & Control server software.
Top exploited vulnerabilities
- ↑ Command Injection Over HTTP (CVE-2021-43936, CVE-2022-24086) - A command injection over HTTP vulnerability has been reported. A remote attacker can exploit this issue by sending a specially crafted request to the victim. Successful exploitation would allow an attacker to execute arbitrary code on the target machine.
- ↑ Zyxel ZyWALL Command Injection (CVE-2023-28771) - A command injection vulnerability exists in Zyxel ZyWALL. Successful exploitation of this vulnerability would allow remote attackers to execute arbitrary operating system commands on the affected system.
- ↔ HTTP Headers Remote Code Execution (CVE-2020-10826, CVE-2020-10827, CVE-2020-10828, CVE-2020-1375) - HTTP headers let the client and server pass additional information with an HTTP request. A remote attacker may use a vulnerable HTTP header to execute arbitrary code on the victim's machine.
- ↔ Apache HTTP Server Directory Traversal (CVE-2021-41773) - A directory traversal vulnerability exists in Apache HTTP Server. Successful exploitation of this vulnerability could allow an attacker to access arbitrary files on the affected system.
- ↓ Web Servers Malicious URL Directory Traversal (CVE-2010-4598, CVE-2011-2474, CVE-2014-0130, CVE-2014-0780, CVE-2015-0666, CVE-2015-4068, CVE-2015-7254, CVE-2016-4523, CVE-2016-8530, CVE-2017-11512, CVE-2018-3948, CVE-2018-3949, CVE-2019-18952, CVE-2020-5410, CVE-2020-8260) - A directory traversal vulnerability exists on various web servers. The vulnerability is due to an input validation error in a web server that does not properly sanitize the URI for directory traversal patterns. Successful exploitation allows unauthorized remote attackers to disclose or access arbitrary files on the vulnerable server.
- ↓ TP-Link Archer AX21 Command Injection (CVE-2023-1389) - A command injection vulnerability exists in the TP-Link Archer AX21. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary commands on the affected system.
- ↑ MVPower CCTV DVR Remote Code Execution (CVE-2016-20016) - A remote code execution vulnerability exists in MVPower CCTV DVR. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.
- ↓ Dasan GPON Router Authentication Bypass (CVE-2024-3273) - A command injection vulnerability exists in PHPUnit. Successful exploitation of this vulnerability would allow remote attackers to execute arbitrary commands on the affected system.
- ↔ PHP Easter Egg Information Disclosure (CVE-2015-2051) - An information disclosure vulnerability has been reported in PHP pages. The vulnerability is due to a misconfiguration of the web server. A remote attacker could exploit this vulnerability by sending a specially crafted URL to an affected PHP page.
- ↑ NETGEAR DGN Command Injection - A command injection vulnerability exists in NETGEAR DGN. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.
Top Mobile Malware
Last month Joker topped the list of the most prevalent mobile malware, followed by Anubis and AhMyth.
- ↔ Joker - An Android spyware in Google Play, designed to steal SMS messages, contact lists and device information. Additionally, the malware silently signs the victim up for premium services on advertising websites.
- ↔ Anubis - Anubis is a banking Trojan malware designed for Android mobile phones. Since its discovery, it has gained additional functions, such as Remote Access Trojan (RAT) functionality, a keylogger, audio recording capabilities and various ransomware features. It has been spotted in hundreds of different applications available in the Google Store.
- ↔ AhMyth - AhMyth is a remote access Trojan (RAT) discovered in 2017. It is distributed through Android apps that can be found on app stores and various websites. When a user installs one of these infected apps, the malware can collect sensitive information from the device and perform actions such as keylogging, taking screenshots, sending SMS messages and activating the camera, which is commonly used to steal sensitive information.
Top-Attacked Industries Globally
Last month Education/Research remained the most attacked industry globally, followed by Government/Military and Communications.
1. Education/Research
2. Government/Military
3. Communications
Top Ransomware Groups
This data is based on insights from ransomware “shame sites” run by double-extortion ransomware groups, which publish information about their victims. RansomHub was the most prevalent ransomware group this month, responsible for 11% of the published attacks, followed by LockBit3 with 8% and Akira with 6%.
- RansomHub - RansomHub is a Ransomware-as-a-Service (RaaS) operation that emerged as an upgraded version of the previously known Knight ransomware. Surfacing in early 2024 on underground cybercrime forums, RansomHub quickly gained notoriety for its aggressive campaigns targeting various systems, including Windows, macOS, Linux and particularly VMware ESXi environments. This malware is known for using sophisticated encryption methods.
- LockBit3 - LockBit is a ransomware that operates on a RaaS model and was first reported in September 2019. LockBit targets large enterprises and government entities in various countries and does not target individuals in Russia or the Commonwealth of Independent States.
- Akira - Akira Ransomware, first reported in early 2023, targets both Windows and Linux systems. It uses symmetric encryption with CryptGenRandom() and Chacha 2008 for file encryption and is similar to the Conti v2 ransomware. Akira is distributed through various means, including infected email attachments and exploits against VPN endpoints. After infection, it encrypts data and appends a '.akira' extension to filenames, then presents a ransom note demanding payment for decryption.